Loki LogQL correlate maillogs


please assist me on parsing mail logs using Loki & Grafana :)

My logging server collects maillog files from a Linux server, and I want to use Loki to check the status (sent, deferred, etc.) of messages from a specific user.

The problem is that the mail logs are divided into different log lines, and I need to correlate those lines using the message ID (40F36420E05 in the text below):

Jun  9 22:38:36 mail postfix/smtp[376635]: 40F36420E05: to=<otheruser@domain2>, relay=domain3[11.11.11.11]:25, delay=13, delays=0.58/0/4.6/7.8, dsn=2.6.0, status=sent (250 2.6.0 <20220609193823.D980A420E06@mail> [InternalId=13731010457062, Hostname=XXX] 15472 bytes in 0.524, 28.786 KB/sec Queued mail for delivery)
Jun  9 22:37:35 mail postfix/qmgr[193514]: 40F36420E05: from=<user@domain>, size=4496, nrcpt=1 (queue active)
Jun  9 22:37:35 mail opendkim[251972]: 40F36420E05: DKIM-Signature field added (s=mail, d=domain)
Jun  9 22:37:35 mail postfix/cleanup[376634]: 40F36420E05: message-id=<20220609193735.40F36420E05@mail>
Jun  9 22:37:35 mail postfix/submission/smtpd[376557]: 40F36420E05: client=compute-1.amazonaws.com[44.11.11.11], sasl_method=PLAIN, sasl_username=user

I'm using this query to find the required mail messages and the regexp function to extract a messageid label:

{host="mail.com"} |~"from=<user@domain>" | regexp "(?P<messageid>\\S+): from="
Jun  9 22:59:58 mail postfix/qmgr[377114]: 40F36420E05: from=<user@domain>, size=11916, nrcpt=1 (queue active)
Jun  9 22:59:58 mail postfix/qmgr[377114]: C3E5D420E05: from=<user@domain>, size=9622, nrcpt=1 (queue active)
Jun  9 22:59:57 mail postfix/qmgr[377114]: 27057420E07: from=<user@domain>, size=6695, nrcpt=1 (queue active)

Now I want to fetch all log lines containing any of the messageid labels extracted from the previous query, something like:

{host="mail.com"} |~"from=<user@domain>" | regexp "(?P<messageid>\\S+): from=" | messageid={list_of_parsed_messageids}

How can I achieve that? Thanks!
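The two-step correlation the question describes, done client-side over lines fetched from Loki, as an added example that is not part of the original post: queue IDs are taken from the qmgr `from=<sender>` lines, every line carrying one of those IDs is grouped under it, and the last `status=` value per ID is reported. The log text is a constructed sample modelled on the excerpt above; `correlate`, `delivery_status` and the regexes are this example's own names, not anything from Loki or Postfix.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the question's maillog excerpt (not real traffic).
SAMPLE_LOG = """\
Jun  9 22:38:36 mail postfix/smtp[376635]: 40F36420E05: to=<otheruser@domain2>, relay=domain3[11.11.11.11]:25, delay=13, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Jun  9 22:37:35 mail postfix/qmgr[193514]: 40F36420E05: from=<user@domain>, size=4496, nrcpt=1 (queue active)
Jun  9 22:37:35 mail opendkim[251972]: 40F36420E05: DKIM-Signature field added (s=mail, d=domain)
Jun  9 22:37:35 mail postfix/cleanup[376634]: 40F36420E05: message-id=<20220609193735.40F36420E05@mail>
Jun  9 22:37:35 mail postfix/submission/smtpd[376557]: 40F36420E05: client=compute-1.amazonaws.com[44.11.11.11], sasl_method=PLAIN, sasl_username=user
Jun  9 22:59:58 mail postfix/qmgr[377114]: C3E5D420E05: from=<other@domain>, size=9622, nrcpt=1 (queue active)
Jun  9 22:59:59 mail postfix/smtp[377120]: C3E5D420E05: to=<x@domain4>, relay=none, delay=1, dsn=4.4.1, status=deferred (connect to domain4[10.0.0.1]:25: Connection refused)
"""

# The queue ID follows the "process[pid]: " prefix and ends with ": ".
QUEUE_ID_RE = re.compile(r"\]: (?P<queue_id>[0-9A-Za-z]+): ")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)")


def queue_id_of(line):
    m = QUEUE_ID_RE.search(line)
    return m.group("queue_id") if m else None


def correlate(log_text, sender):
    """Return {queue_id: [lines]} for every queue ID whose from= line names sender."""
    lines = log_text.splitlines()
    wanted = set()
    for line in lines:  # step 1: the "from=<user@domain>" query from the question
        m = FROM_RE.search(line)
        if m and m.group("sender") == sender:
            wanted.add(queue_id_of(line))
    wanted.discard(None)
    grouped = defaultdict(list)
    for line in lines:  # step 2: all lines carrying one of those queue IDs, in logged order
        qid = queue_id_of(line)
        if qid in wanted:
            grouped[qid].append(line)
    return dict(grouped)


def delivery_status(log_text, sender):
    """Last status= seen per queue ID for the sender, or 'unknown' if none was logged."""
    result = {}
    for qid, lines in correlate(log_text, sender).items():
        statuses = [m.group("status") for m in map(STATUS_RE.search, lines) if m]
        result[qid] = statuses[-1] if statuses else "unknown"
    return result
```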
